Mobile Threat Blog

Share

Exaspy: Big Name but So Far a Small Footprint

Exaspy is the name of a new commercial Android spyware package found in a fake app by Skycure Research Labs in September. As many spyware packages do, this one gives an attacker access to chats, messages, audio, pictures, contacts and historical logs and enables communications with a CNC (command and control) server.

While the name “Exaspy” and the category of spyware are potentially alarming, to date this threat is not among the top mobile security risks we’re seeing. Here’s why:

Skycure detected Exaspy on “an Android device owned by one of the company’s Vice Presidents, making it likely this was a targeted attack.

We found no devices in our enterprise database with apps infected by Exaspy.

We have not seen any other evidence of Exaspy being detected in the wild.

We don’t mean to say there’s no risk from Exaspy, or that other instances will never be found. But other exploits and vulnerabilities have had a much wider impact. Compare this single instance of Exaspy, for example, with the hundreds of thousands of downloads of the recent DressCode malware, or the thousands of users impacted by Acecard, or the hundreds of apps affected by XCodeGhost. The Svpeng banking trojan has already affected 318,000 devices. The recently discovered OAuth 2.0 vulnerability is said to affect up to a billion accounts. The list goes on. So while, yes, there’s risk associated with Exaspy, to date is it limited from a risk management perspective.

Recommendation

While this particular threat is not widespread, Appthority recommends ensuring you have an effective mobile threat protection solution that detects and remediates spyware, malware and the host of other security threats that come with an increasing use of mobile devices, apps and networks.

Appthority customers concerned about Exaspy can create an app policy with the “Infected by Exaspy” behavior or simply add that behavior to an existing app policy that captures security vulnerabilities or high risk behaviors.

Further, infected spyware apps are often installed on mobile devices using side-loaded channels. Appthority recommends having a policy of not allowing side-loaded apps on corporate owned devices and using the Appthority Portal to identify and remediate mobile devices with unapproved side-loaded apps.